Make a copy of the boot sector bash-4.1$ dd if=/csci331/csci331img/CSCI331MID.img of=/var/tmp/CSCI331MID.BOOT bs=512 count=1 Determine the number of bytes per sector bash-4.1$ od -A d -j 11 -N 2 -t d2 CSCI331MID.BOOT 0000011 512 0000013 bash-4.1$ BPB_BytsPerSec=512 Determine the number of sectors per cluster bash-4.1$ od -A d -j 13 -N 1 -t d CSCI331MID.BOOT 0000013 8 0000014 bash-4.1$ BPB_SecPerClus=8 Determine the number of reserved sectors bash-4.1$ od -A d -j 14 -N 2 -t d2 CSCI331MID.BOOT 0000014 32 0000016 bash-4.1$ BPB_RsvdSecCnt=32 Determine the number of FATs bash-4.1$ od -A d -j 16 -N 1 -t d CSCI331MID.BOOT 0000016 2 0000017 bash-4.1$ BPB_NumFATs=2 Look at File system type field to determine likely type bash-4.1$ od -A d -j 54 -N 8 -t a CSCI331MID.BOOT 0000054 nul nul nul nul nul nul nul nul 0000062 bash-4.1$ od -A d -j 82 -N 8 -t a CSCI331MID.BOOT 0000082 F A T 3 2 sp sp sp 0000090 bash-4.1$ BS_FilSysType=FAT32 Determine the size of the FAT bash-4.1$ od -A d -j 36 -N 4 -t d4 CSCI331MID.BOOT 0000036 2048 0000040 bash-4.1$ BPB_FATSz32=2048 bash-4.1$ FATSz=$BPB_FATSz32 Determine the total number of sectors bash-4.1$ od -A d -j 32 -N 4 -t d4 CSCI331MID.BOOT 0000032 2097152 0000036 bash-4.1$ BPB_TotSec32=2097152 Does this seems correct? bash-4.1$ ls -l /csci331/csci331img/CSCI331MID.img -r--r--r--. 1 root root 1073741824 Mar 25 21:06 /csci331/csci331img/CSCI331MID.img bash-4.1$ expr $BPB_TotSec32 \* $BPB_BytsPerSec 1073741824 Since this is FAT32, root directory is not stored in reserved sectors bash-4.1$ od -A d -j 17 -N 2 -t d2 CSCI331MID.BOOT 0000017 0 0000019 bash-4.1$ BPB_RootEntCnt=0 Determine the cluster number of the root directory. Expect 2 bash-4.1$ od -A x -j 44 -N 4 -t d4 CSCI331MID.BOOT 00002c 2 000030 bash-4.1$ BPB_RootClus=2 There are 32 reserved sectors 2 FATS with 2048 sectors each 0 root dir sectors, in researved area First data/directory sector is at 4128 Copy the FAT structure bash-4.1$ dd if=/csci331/csci331img/CSCI331MID.img of=CSCI331MID.FAT bs=512 seek=$BPB_RsvdSecCnt count=$FATSz 2048+0 records in 2048+0 records out 1048576 bytes (1.0 MB) copied, 0.0324662 s, 32.3 MB/s Look at first 64 bytes of the FAT bash-4.1$ od -A d -j 0 -N 64 -t x4 CSCI331MID.FAT 0000000 0ffffff8 0fffffff 0ffffff8 00000004 0000016 0fffffff 0fffffff 00000007 00000008 0000032 0fffffff 0fffffff 0fffffff 0fffffff 0000048 0fffffff 0fffffff 0fffffff 00000010 0000064 The first two entries (0 and 1) are not used. Entry #2 is fffffff8. Root directory is only one cluster Entry #3 chains to entry #4 which is the last. Entry #6 -> #7 -> 8 Now to look at root directory FirstDataSector is 4128 BPB_SecPerClus is 8 Size of sector in byte is 4096 (8*512) Sector address of data for clutser N is ((N-2) * BPB_SecPerClus) + FirstDataSector or ((N-2) * 8) + 4128 Read cluster containing root directory bash-4.1$ dd if=/csci331/csci331img/CSCI331MID.img of=CSCI331MID.ROOT ibs=512 skip=4128 obs=4096 count=8 Look a first 8 FAT entries bash-4.1$ od -A d -j 0 -N 256 -t a CSCI331MID.ROOT CSCI331MID 0000000 C S C I 3 3 1 M I D sp bs nul nul } h 0000016 y B y B nul nul } h y B nul nul nul nul nul nul l 0000032 B l nul nul nul del del del del del del si nul _ del del 0000048 del del del del del del del del del del nul nul del del del del schedule.shtm 0000064 soh s nul c nul h nul e nul d nul si nul _ u nul 0000080 l nul e nul . nul s nul h nul nul nul t nul m nul SCHEDU~1.SHT 0000096 S C H E D U ~ 1 S H T sp nul nul sp j 0000112 y B y B nul nul 0 7 q B etx nul t rs nul nul programs 0000128 A p nul r nul o nul g nul r nul si nul A a nul 0000144 m nul s nul nul nul del del del del nul nul del del del del PROGRAMS 0000160 P R O G R A M S sp sp sp dle nul nul sp j 0000176 y B y B nul nul x i y B enq nul nul nul nul nul index.shtml 0000192 A i nul n nul d nul e nul x nul si nul w . nul 0000208 s nul h nul t nul m nul l nul nul nul nul nul del del INDEX~1.SHT 0000224 I N D E X ~ 1 sp S H T sp nul nul sp j 0000240 y B y B nul nul h N u B so nul k ack nul nul Look at the one at offset 96 bash-4.1$ od -A d -j 96 -N 32 -t a CSCI331MID.ROOT 0000096 S C H E D U ~ 1 S H T sp nul nul sp j 0000112 y B y B nul nul 0 7 q B etx nul t rs nul nul Look at its file size field (last four byte) bash-4.1$ od -A d -j 124 -N 4 -t d4 CSCI331MID.ROOT 0000124 7796 Check with directory entry bash-4.1$ ls -l /csci331/csci331mid/schedu~1.sht -rwxr-xr-x. 1 root root 7796 Mar 17 22:57 /csci331/csci331mid/schedu~1.sht Look at the cluster number of the file bash-4.1$ od -A d -j 122 -N 2 -t d2 CSCI331MID.ROOT 0000122 3 Computer offset for data of cluster 3 ((N-2) * BPB_SecPerClus) + FirstDataSector ((N-2) * 8) + 4128 4136 Copy data for cluster 3 bash-4.1$ dd if=/csci331/csci331img/CSCI331MID.img of=CSCI331MID.CLUS3 ibs=$BPB_BytsPerSec skip=4136 obs=4096 count=$BPB_SecPerClus 8+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 0.011762 s, 348 kB/s From FAT see that there is a second cluster of the file -- 4 bash-4.1$ od -A d -j 0 -N 32 -t x4 CSCI331MID.FAT 0000000 0ffffff8 0fffffff 0ffffff8 00000004 0000016 0fffffff 0fffffff 00000007 00000008 Compute offset for data of cluster 4 ((N-2) * BPB_SecPerClus) + FirstDataSector ((N-2) * 8) + 4128 4136 Copy data for cluster 4 bash-4.1$ dd if=/csci331/csci331img/CSCI331MID.img of=CSCI331MID.CLUS4 ibs=$BPB_BytsPerSec skip=4144 obs=4096 count=$BPB_SecPerClus 8+0 records in 1+0 records out 4096 bytes (4.1 kB) copied, 3.2147e-05 s, 127 MB/s Quick look at contents of clutsers 3 and 4 bash-4.1$ head CSCI331MID.CLUS3 CSCI 202 Schedule Feb 26 Upcoming exam and Lab 8 Feb 28 Check it out bash-4.1$ cat CSCI331MID.CLUS3 CSCI331MID.CLUS4 > CSCI331MID.FIL bash-4.1$ dd if=CSCI331MID.FIL of=CSCI331MID.TRM bs=7797 count=1 1+0 records in 1+0 records out 7797 bytes (7.8 kB) copied, 2.7431e-05 s, 284 MB/s bash-4.1$ diff CSCI331MID.TRM /csci331/csci331mid/schedu~1.sht 222d221 < \ No newline at end of file